Jennifer is correct, but... 1st: I'M NOT A SECURITY SPECIALIST. Hopefully someone who is can help with specifics with this one.
There are two aspects here that I can think of offhand:
- Security in the sense of whether the app itself is "secure" in how it works (such as no data leaks), and
- Security in that there is no MITM (man in the middle) or other data corruption issue that can in any way alter a file (which an "app" is).
Let's say you are just downloading an app. If the app provider provides a checksum for the app, you can verify whether or not the content of the app is exactly what it is supposed to be.
Also see:
How to verify the checksum of a downloaded file (pgp, sha, etc.)? for some thoughts.
Microsoft's helper:
Download Microsoft File Checksum Integrity Verifier from Official Microsoft Download Center
Windows 10's Built In checker:
What Is a Checksum (and Why Should You Care)?
But remember, checksums are somewhat analogous to filesystem "fingerprints" - no two should ever be alike, and any modification to the file should change the checksum. But checksums are unsuitable for any kind of security work:
CRCs cannot be safely relied upon to verify data integrity (that no changes whatsoever have occurred), since it's extremely easy to intentionally change data without modifying its CRC.
That's probably because CRC is a simple algorithm designed for speed - not security. A checksum is really just a specific kind of hash. Steve Friedl's Illustrated Guide to Cryptographic Hashes is an excellent, highly visual introduction to the more general theory behind hashing.
NOTE: If the app was not coded well, or if the coder intentionally puts in malicious code, a checksum is useless.
Now as to the "app" itself. As per Jennifer's husband's response: This is the type of thing that pops up several times a year (or so it seems): "22 apps with 2 million+ Google Play downloads had a malicious backdoor" and "Google Play apps with as many as 2.6m downloads added devices to botnet" are two examples. Now, these are apps available to the public. If you are thinking of making/coding an app and posting it somewhere to be downloaded by specific people, this shouldn't be an issue.
I am adding to @Jen Kirley's response to make clear that for validation of software, which "apps" are, you need a security specialist. There are quite a few potential security issues that have to be considered.
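The following is an added example, not part of the original post: it checks a download against a published SHA-256 digest and shows the structural reason a CRC cannot serve that purpose (CRC-32 values combine predictably under XOR, SHA-256 digests do not). The file name, sample bytes and "published" digest are constructed for illustration.

```python
import hashlib
import hmac
import pathlib
import tempfile
import zlib


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large installers are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, published_hex):
    """True only if the file's SHA-256 equals the digest the provider published."""
    expected = published_hex.strip().lower()
    return hmac.compare_digest(sha256_file(path), expected)


def xor3(a, b, c):
    """XOR three equal-length byte strings."""
    return bytes(x ^ y ^ z for x, y, z in zip(a, b, c))


def crc32_is_predictable(a, b, c):
    """CRC-32 is affine over XOR: the CRC of a^b^c follows from the three CRCs."""
    return zlib.crc32(xor3(a, b, c)) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(c)


def sha256_is_predictable(a, b, c):
    """The same relation checked for SHA-256, where no such structure exists."""
    digests = [hashlib.sha256(m).digest() for m in (a, b, c)]
    return hashlib.sha256(xor3(a, b, c)).digest() == xor3(*digests)


def demo():
    """Constructed sample: a stand-in 'installer' and a one-byte modification."""
    original = b"constructed sample installer bytes" * 100
    with tempfile.TemporaryDirectory() as tmp:
        path = pathlib.Path(tmp) / "app-setup.bin"  # hypothetical file name
        path.write_bytes(original)
        published = hashlib.sha256(original).hexdigest()  # stands in for the vendor's value
        ok_before = verify_download(path, published)
        path.write_bytes(b"X" + original[1:])  # alter the first byte
        ok_after = verify_download(path, published)
    return ok_before, ok_after
```

The comparison is only as trustworthy as the channel the published digest came from, so take it from the provider's HTTPS site or a signed release file rather than from the same mirror as the download.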